Windows Analysis Report 3pO1282Kpx

Overview

General Information

Sample Name:	3pO1282Kpx (renamed file extension from none to dll)
Analysis ID:	532438
MD5:	173345845a2a7d0d99c17bdc5445df90
SHA1:	35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256:	9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Multi AV Scanner detection for domain / URL

Changes security center settings (notifications, updates, antivirus, firewall)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Abnormal high CPU Usage

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 3pO1282Kpx.dll	Virustotal: Detection: 23%			Perma Link
Source: 3pO1282Kpx.dll	ReversingLabs: Detection: 17%

Multi AV Scanner detection for domain / URL

Source: https://45.63.5.129/

Virustotal: Detection: 7%

Perma Link

Compliance:

Uses 32bit PE files

Source: 3pO1282Kpx.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: unknown

HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.5:49804 version: TLS 1.2

Source: 3pO1282Kpx.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.500168593.00000000048E8000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.503577553.0000000004C71000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.529381238.00000000049C1000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.513347635.00000000028F2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000016.00000003.524895289.000000000296C000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.524500782.000000000296C000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE90927 FindFirstFileExW,	0_2_6EE90927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE90927 FindFirstFileExW,	2_2_6EE90927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_0297E2C8 FindFirstFileW,	25_2_0297E2C8

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 45.63.5.129 187

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-CHOOPAUS AS-CHOOPAUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN HTTP/1.1Cookie: gKjP=1pPfMaoMdVUlKQUbAdiebE1XTzpT49WAqPCFzf9esRtAAep5qXcDMA3UcMnz2kDny2NkJZ+XzMNPrbuwewGy7ajRk6O8pCIMyS/tk7KPZ1sVOCZDzij8ol0kzhAKz+cyhczW5/Qg7WStsqckEM0Ai/TBhgYa4zLpY2xrkvKaCs5ZjXU46E7u7NfJ6u2+utMTe+1C5zhUB/BGEkeunoDpKbWBm9Kwrc3B7WoAGu/lbHZZe8hOoLZlL9MMnyWT3k4lhqZIOv4dj0Q=Host: 45.63.5.129Connection: Keep-AliveCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804

Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.5.129

Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z\|\|.\|\|6f0c105d-3db6-47de-894d-fd95973349e2\|\|1152921505694224549\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000026.00000003.746064591.00000184DC77E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z\|\|.\|\|6f0c105d-3db6-47de-894d-fd95973349e2\|\|1152921505694224549\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000006.00000002.640848244.000001ECCBE5E000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.542568874.000000000466D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544260152.000000000466F000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.718963355.0000000002BCE000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764271676.0000000002BCE000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.717667638.0000000002BCE000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.763990473.00000184DC700000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000016.00000002.544098709.000000000292C000.00000004.00000020.sdmp	String found in binary or memory: http://crl.microsoft
Source: svchost.exe, 00000006.00000002.640739362.000001ECCBE15000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000006.00000003.639867231.000001ECC66A8000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.640572872.000001ECC66AB000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: Amcache.hve.19.dr	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 0000000A.00000002.442020760.0000017F2F613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: rundll32.exe, 00000019.00000002.763936612.0000000002B95000.00000004.00000020.sdmp	String found in binary or memory: https://45.63.5.129/
Source: rundll32.exe, 00000019.00000002.763540592.0000000002B5A000.00000004.00000020.sdmp	String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDN
Source: rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp	String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNG
Source: rundll32.exe, 00000019.00000002.763540592.0000000002B5A000.00000004.00000020.sdmp	String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNOz
Source: rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp	String found in binary or memory: https://45.63.5.129/fqwqvIpxZYjgSrhYeuylraBSZOVBNdJZxHBzTVnNstuWavuGlHdFStXKFDNb
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000002.761831217.000002067B43E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.415890921.0000017F2F64D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.409525624.0000017F2F669000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.459029231.0000017F2F66B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.442020760.0000017F2F613000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000003.410767896.0000017F2F64F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.453634339.0000017F2F650000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000002.452763932.0000017F2F64A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000A.00000003.415890921.0000017F2F64D000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000002.452763932.0000017F2F64A000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417035105.0000017F2F649000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.417044646.0000017F2F647000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.410767896.0000017F2F64F000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.453634339.0000017F2F650000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.409552132.0000017F2F652000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.417063384.0000017F2F643000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.451867623.0000017F2F644000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.417049148.0000017F2F642000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: svchost.exe, 0000000A.00000002.451257545.0000017F2F641000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.446840907.0000017F2F629000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.450562403.0000017F2F63D000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000003.362651281.0000017F2F634000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000003.417058867.0000017F2F63E000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000026.00000003.736509284.00000184DC77E000.00000004.00000001.sdmp, svchost.exe, 00000026.00000003.736795820.00000184DCC02000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000026.00000003.739051194.00000184DC780000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000026.00000003.739051194.00000184DC780000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 25_2_02963394 InternetReadFile,

25_2_02963394

Source: global traffic

Source: unknown

HTTPS traffic detected: 45.63.5.129:443 -> 192.168.2.5:49804 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 0.0.loaddll32.exe.1523618.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.520000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.rundll32.exe.2960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.33d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1523618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2a521e0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1523618.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2a521e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f21e8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35624d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35624d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.14d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.33e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.33d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.33e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2963508.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.rundll32.exe.2960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.14d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.35f21e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.1523618.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.14d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2963508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.490792818.00000000006D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.516872338.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.493687779.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.762912607.0000000002960000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.515626652.000000000151C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592715201.000000000354A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.515526987.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.471143849.000000000294A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544935545.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.495396645.000000000151C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.492232954.0000000002A3A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.475419249.0000000000520000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.495107069.00000000014D0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.459775725.0000000000749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.493911106.000000000151C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592655915.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494249926.00000000035DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.470997195.0000000000700000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.697774412.0000000002B7B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.494093661.00000000033E0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.516972039.000000000151C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.545005644.000000000151C000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: 3pO1282Kpx.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616

Deletes files inside the Windows folder

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg:Zone.Identifier

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EE8AC90 appears 33 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6EE71DE0 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE8AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE71DE0 appears 97 times

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,ajkaibu	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3pO1282Kpx.dll,akyncbgollmj	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qfdohhzjskeoxat\kmkxxcep.fzg",diWFDzhLoc	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\3pO1282Kpx.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Qfdohhzjskeoxat\kmkxxcep.fzg",Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2616 -ip 2616	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 308	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2616 -ip 2616	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 316	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:4956:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2616
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:5020:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2144:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE96A93 push ecx; ret	0_2_6EE96AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_005213E7 push esi; retf	2_2_005213F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE96A93 push ecx; ret	2_2_6EE96AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_006D13E7 push esi; retf	4_2_006D13F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_033D13E7 push esi; retf	14_2_033D13F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_029613E7 push esi; retf	25_2_029613F0

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 2376	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4192	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4252	Thread sleep time: -90000s >= -30000s

Source: Amcache.hve.19.dr	Binary or memory string: VMware
Source: Amcache.hve.19.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000006.00000002.640818249.000001ECCBE48000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.640848244.000001ECCBE5E000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.542568874.000000000466D000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544208418.0000000004640000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000002.544260152.000000000466F000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000003.718992325.0000000002BAD000.00000004.00000001.sdmp, rundll32.exe, 00000019.00000002.764113754.0000000002BAD000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.763567279.00000184DC0EF000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.761917887.00000184DC03C000.00000004.00000001.sdmp, svchost.exe, 00000026.00000002.762506607.00000184DC082000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: rundll32.exe, 00000019.00000002.763936612.0000000002B95000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.19.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.19.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: svchost.exe, 00000006.00000002.640399065.000001ECC6629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.19.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 00000007.00000002.761991641.000002067B468000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.761427353.00000293E1229000.00000004.00000001.sdmp, WerFault.exe, 00000016.00000003.540804894.0000000004647000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.19.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE89990 mov eax, dword ptr fs:[00000030h]	0_2_6EE89990
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE8EC0B mov ecx, dword ptr fs:[00000030h]	0_2_6EE8EC0B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE902CC mov eax, dword ptr fs:[00000030h]	0_2_6EE902CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE89920 mov esi, dword ptr fs:[00000030h]	0_2_6EE89920
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE89920 mov eax, dword ptr fs:[00000030h]	0_2_6EE89920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_005307D2 mov eax, dword ptr fs:[00000030h]	2_2_005307D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE89990 mov eax, dword ptr fs:[00000030h]	2_2_6EE89990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE8EC0B mov ecx, dword ptr fs:[00000030h]	2_2_6EE8EC0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE902CC mov eax, dword ptr fs:[00000030h]	2_2_6EE902CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE89920 mov esi, dword ptr fs:[00000030h]	2_2_6EE89920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE89920 mov eax, dword ptr fs:[00000030h]	2_2_6EE89920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_006E07D2 mov eax, dword ptr fs:[00000030h]	4_2_006E07D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_033E07D2 mov eax, dword ptr fs:[00000030h]	14_2_033E07D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 25_2_029707D2 mov eax, dword ptr fs:[00000030h]	25_2_029707D2

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE8A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6EE8A462
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE90326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EE90326
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EE8AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6EE8AB0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE8A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EE8A462
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE90326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EE90326
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6EE8AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EE8AB0C

Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000000.494151990.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.515847002.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.495645602.0000000001C10000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.517132807.0000000001C10000.00000002.00020000.sdmp, rundll32.exe, 00000019.00000002.764558363.0000000002FE0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.19.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000C.00000002.761941532.000002922263E000.00000004.00000001.sdmp	Binary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000C.00000002.762220648.0000029222702000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

ID:	532438
Product:	CloudBasic
Start time:	09:32:22
Start date:	02.12.2021
Sample:	3pO1282Kpx
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	173345845a2a7d0d99c17bdc5445df90
SHA1:	35ed97b5ac5a3ed0fdc00eabff20f3bfcdfc8a7c
SHA256:	9ed58848f0a7b354a32d4ef67ea9ff70ba75f9238c39d9f1af88fae6811cb504
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.chk	data	BF1DC7D5D8DAD7478F426DF8B3F8BAA6	C6B0BDE788F553F865D65F773D8F6A3546887E42	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
C:\ProgramData\Microsoft\Network\Downloader\edb.log	MPEG-4 LOAS	F78E70A1621F2D5C73A7D5A9F1114557	02444FDD416593D5609ED34E781BD80BBABADB17	B0247AA90FBD07D35C07CD761E4CE4D6E981DE9252E45430CCC8926E10978F45
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0xaa8f4eab, page size 16384, Windows version 10.0	3131682BBEA03E9062431DF4D4A37425	F142C57DE3CE14B3CD740156499470EA607A54EA	FB91C9E4763A52EBD86C30EFED3D88B118CB129C817008A131A46D8674C79312
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	8978474C3FAEE60FE67EC9A3CEECB56B	08DBA96654DF218266F5E94B0F5B218A44880191	DF10EF51ADAA2ECFECA26DA8F0C537592DFFD066AC204167AE7ABA4C370A1D2A
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_10c8bd69\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	3A3ED2564A039109118313347F1708C4	F6DDCC7CAC4CA49BA35D04F47513C87A41C912D4	70C976E3B6692CFC41EB7E7465231DF682098510B8CED3F6BABAD57322934D90
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_d71d33d652a62c864cb684e881f783bcee8c2df7_d70d8aa6_12d4f551\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	E042DAF2DC9C863DE6347875D5957573	AF0902501CD2A5179FBBD762FF0B061DD67D86F7	2DDC12FFFF33ADD57AC88C378CF97F48B86C4A98E34B372CC0DB6CA12B9AA4A7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1060.tmp.csv	data	328665A094D81CC2FCB5A0F21A7A4A19	BAF52DBF1E60DB3F75422EB5FF91C58226726C72	B588FDD79B06CF99BB0EF6650DF74AB75139E37C138C61E5CFD7C399A8715453
C:\ProgramData\Microsoft\Windows\WER\Temp\WER13EB.tmp.txt	data	74498F05CEDE84291AB14E0BEEE931EC	173685F447342F3CF74DF0517900C9FD57830437	48F567AE55B235BB8828A703488B94D3BF1450AD46B06BD4B79C33FF8F83A978
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAAC.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 17:35:22 2021, 0x1205a4 type	38BDD294A991B5BDA3B88EB0AEF4E844	CCEE4A5D3C3A859529AB319CCFD5C9D5A28005FA	3F1301C539E5E5B08400D0439CC0AF29E341E7B4878943EBAA11C6F2BFF24F1B
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAFED.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	BE78AD3D99466DD597431BDFC39696CA	89CC1B5C0EE3D4E60D59A70DC93A1D52FC75CF68	4FEAD19B1153997839CB05A5B0CC33EDB4153B65D7DFC1D6C7432BE4985FD181
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB349.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3FF9642F2B892DFF5D70F144E42459A3	030FF5B434093F22C44EAF6F0B7B3969C4E2D1F2	CEDA14EB77F235A93E2923D9BFD5F7F17DB41B88E3B355A08A77C720CAC6A9E7
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD66F.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Dec 2 17:35:33 2021, 0x1205a4 type	E3ECF4AB72BEC8ED688353E19C191F41	890523D48D2C970CC46C17F79BBD75108E6E94AB	A0E30DBE92F994FFA1E585B18CF31418097ACCF8FDA52EA4FEE2FAD5CC426509
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE40.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	0375ED25232FD5816BA1A6C32E4D8C30	74DCAB06EDBC31EC2FF5CF1C5E40BFA297FC79BD	8AA8C30F217EE33F64B81940138E2F8AFC974B039814DBCAB48B133BD31E588F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE268.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	72F8264FEC96FC575B1B5E5B12A07146	9B28B40C85481FE154042C341898D2037E652C95	7758F92C3E6DB4BA3B3109DFCF0D5AC6C665BCE73080C3D9909407BA08F38B00
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2A7.tmp.csv	data	194827815D8B2AC522E8BF66C2C6966D	385327742309D0D27C0AD42360C5F2F0A2D3B224	A80AF9B8F112D9F55F0563750D03E758DA804B670949F8B339C6836D2442BCEC
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE884.tmp.txt	data	0D5D9E8F0EA0D8556A705AC088B1691F	45426C44115F30140F0AF85952F2AF22AFB7B30A	2DE70B0EBDA238AD81B22398D2FC4AB4BA4FBFBCFABCC3FCC006A23110C327E1
C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	ASCII text, with no line terminators	DCA83F08D448911A14C22EBCACC5AD57	91270525521B7FE0D986DB19747F47D34B6318AD	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators	F32E205765A5EA75A7D4D781ACDBB3BC	1E1FD988750282F2D43E60C6234EB28EBBCE7913	41F7D2CC292C077B4C108D1AA90C43D33273512442B8AAE1BE659AC4D9876B15
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211202_173411_162.etl	data	F56C797108F1B0EFC18279554D5F727A	EB91844C9E6B53833D7360602C1E98AABFA5763C	97EAC58D628AAD2EAD17AC9BE3DC905F803A605283BD7178663C69AD75923D81
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	ADD33C28B73DC52233D3FF5D95CA1612	BA83CA6BDC55A68281C5C06CBE878F6FA750CE8C	A004D58EEAC43B48DAA62D17E345FB918FD27CF5EE0336B8BFB38BA4C3CA5342
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	77DEEDF0476D997DAF784E50870E7198	A3376EB61933CD8EF72FFD538C805C4B83FB0AC4	706588ECDADB13CC58740EE6F11A7293EF7ECEA5E191529FF813E580CEBAC555

Windows Analysis Report 3pO1282Kpx

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs